Encrypted authentication via PAM
Jeff Williams
willi290 at tc.umn.edu
Mon Sep 10 01:01:08 GMT 2001
Hello,

I am hoping to do something out of the ordinary for authentication and
would like any advice people have.

I would like to have users (NT and 2000) log in to a SAMBA PDC and have their
username and NT password hash (in the password field) sent along into
PAM_Auth_Radius or PAM_Radius_Auth to go to a RADIUS server that will check
against the NT MD4 hash of the password. Then the result would be sent back
to PAM and into SAMBA as a grant or deny.

I do not control the RADIUS server (or the password list), or I would be able
to solve this easily with the passwords. I convinced the data owners to add
this extra NT PW Hash attribute in case I get this to work. Password changes
all go through a different system.

I know that plain text logins can use PAM, and that normally encrypted ones
don't.

I've looked at both the ntlm v1 and plaintext sections of smbd and
am a bit overwhelmed. Are there multiple pieces I would change or just the one
I found? Is the 8 bit piece that is added to the 16 bits going to be a problem
in checking against an NT MD4 pw hash? Will session related code give me any
trouble?

I thank all who respond and all who have worked on SAMBA.

-JTW